[isf-wifidog] How to Auth non-browser based devices
Max Horváth
max.horvath at maxspot.de
Wed Feb 1 06:41:22 EST 2006
Hi,

Benoit Grégoire wrote:
> On January 31, 2006 11:37 pm, Jason Potter wrote:
>> Hi All,
>>
>> Just an extension to the discussion below, what are the approaches to
>> giving free wifi to devices in a venue that don't have a browser.
>
> 1-Tie MAC address(es) to a single user account who vouches for it
> (http://dev.wifidog.org/ticket/19). Only slightly more insecure than
> normal captive portal operation.

As I wrote in the ticket's comments, this has one disadvantage:
The most comfortable way would be if a registered user could enter
say 2 or 3 MAC ids in his profile. The only problem we have is how
to detect if a user cheats. He could just enter the MAC id of his
notebook and voila - he'd never see the login screen again ...

> 2-Whitelist specific servers ("perfectly" secure, allows the group to
> ask money from their operators for the privilege since they run a
> business on your network). Good for the DS and VOIP operators, doesn't
> work for allowing you to connect to your own asterisk server for
> example.

This is the way we should go ... and about the servers: different
groups could talk about it with the companies and list those servers
on our wiki - so every group would know about them and could whitelist
those servers, too ...

> 3-Whitelist specific ports (such as SIP). Once you do that, anyone can
> tunnel any kind of traffic through them.

This should only be done in addition to point 2.
Otherwise the users could cheat. In case I know that port 5060 is
open, for example, I could tunnel all traffic through this port and I
as a user would never see the portal again ...

> 4-Don't run any authentication at all. Works fine for those who only
> run a portal to display a splash page and terms of service.

Only for the folks with a splash screen only :( ...

> I hadn't thought of Pete's solution:
> 5-Whitelist a range of MAC addresses by manufacturer. Only works when
> the manufacturer and the service to be whitelisted are the same (so it
> would work for the DS, but not for a wifi phone). Also, once the users
> know whose device is whitelisted, they no longer have to guess or find
> a MAC address to spoof.

Kinda same problem as with point one ... Once I as a user know that
I can use my DS without authentication, I'd just have to change the
MAC of my notebook and I'd be on the Internet ...

> If anyone has other ideas, please speak up. So far there is no perfect
> solution.

So the only secure way I see is a combination of point 2 and 3.

Cheers, Max!
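
The following is an added example, not part of the original message or of the WiFiDog code base: a small Python audit of a pre-authentication allowlist that contrasts a port-only rule (point 3) with a server-plus-port rule (points 2 and 3 combined). The `Rule` structure, the function names and the addresses (taken from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One pre-auth allow rule (hypothetical structure, not WiFiDog's config format)."""
    proto: str            # "tcp" or "udp"
    port: Optional[int]   # None means any port
    dest: Optional[str]   # CIDR of the whitelisted server, None means any destination

    def matches(self, proto: str, dst_ip: str, dst_port: int) -> bool:
        if proto != self.proto:
            return False
        if self.port is not None and dst_port != self.port:
            return False
        if self.dest is not None:
            return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dest)
        return True


def preauth_allowed(rules: List[Rule], proto: str, dst_ip: str, dst_port: int) -> bool:
    """True if an unauthenticated client's flow would pass the allowlist."""
    return any(r.matches(proto, dst_ip, dst_port) for r in rules)


def audit(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Flag rules that expose arbitrary hosts to unauthenticated clients."""
    findings = []
    for r in rules:
        if r.dest is None or ipaddress.ip_network(r.dest).prefixlen == 0:
            findings.append((r, "no destination restriction: bypasses the portal"))
        elif r.port is None:
            findings.append((r, "all ports open to this server"))
    return findings


# Constructed sample policies and flows (addresses are documentation ranges).
SIP_OPERATOR = "192.0.2.10"      # assumed whitelisted VoIP operator
OTHER_HOST = "198.51.100.7"      # any other Internet host
PORT_ONLY = [Rule("udp", 5060, None)]                      # point 3 alone
SERVER_AND_PORT = [Rule("udp", 5060, SIP_OPERATOR + "/32")]  # points 2 and 3

if __name__ == "__main__":
    for name, policy in (("port-only", PORT_ONLY), ("server+port", SERVER_AND_PORT)):
        reach = preauth_allowed(policy, "udp", OTHER_HOST, 5060)
        print(f"{name}: other host reachable pre-auth={reach}, findings={len(audit(policy))}")
```
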